I wonder for how many people this will be the last updates they ever install. Depending on how next week goes this may be my last but we’ll see. If there is a rise in successful attacks leading to increased botnets as a consequence then that’s on microsoft for taking this dunderhead decision. Then again, we’ve seen unprecedented attacks lately from armies of badly secured IOT devices. Brave new world… :/

Woody: Thanks for the guidance. I have referred a number of non-tech folks to this site and they are able understand what you and the readers are talking about. A+++

I strongly echo your Office comments. I have noticed a gradually increasing ability of MS Outlook to NOT display images and other features of HTML emails from news sources, tech sites, and companies from whom I get informational updates.

You used to get the line at the top that said images were not displayed due to privacy and it had the ability to download the images. Lately that option is often not available and the only option is to view in a browser, a solution I do not like. I suspect that this results from security patches, probably in both Office and Windows. I have not been able to find what settings are the issue.

As a result I now use Thunderbird for a lot of email although I greatly prefer Outlook for its single (or multiple) *.pst file format. I still use Outlook for the archiving process of important emails, since my emergency backup machine still has Outlook, as well as my backup drives, but With most of our laptops on Linux, Thunderbird is starting to look better, especially since I learned how to successfully manage account transfer between Windows and Linux devices.

It looks like dark days ahead, but maybe, just maybe, MS will see the light like HP did with their firmware “update” to kill non-HP ink cartridges. A new firmware “update” reversing the damage is being released. HP of course, did not apologize for the fiasco, instead saying they had not communicated well. How do you say diplomatically, ‘I am going to screw you so I can make more money?’ Unfortunately for HP, many small businesses read between the lines and are abandoning HP for other cheaper, more reliable alternatives vowing to NEVER buy HP again.

Additionally the HP issue is portrayed as anti-consumer in the press, while Win10 and MS Updates is largely crickets in the mainstream media and confined to tech sites and media.

The BIG difference is HP is one of many printer makers, whereas MS is the 900 pound gorilla (now with rabies).

Truly as the Chinese saying goes, “May you live in interesting times.”

“For Group A, patching is much easier. For Group B, the snooping should be less – but there’s no guarantee. You can move from Group B to Group A, but as far as I can tell there’s no way to move from Group A to Group B without completely re-installing Win7 or 8.1.”

I am posting the procedure below for those interested in uninstalling patches and potentially moving from Group A to Group B.

As most of you would know, I am a follower of Group A and after reassessing the recent blog post about “snooping” patches, the only patches which I would accept as not being strictly required are KB2952664 and KB3150513. Everything else can be installed from my point of view and even those 2 mentioned don’t cause any harm, except for somehow increasing the potential for snooping.

I accept Group B style of patching as technically correct based on the condition that all Important patches are installed in addition to Security patches. Not installing Critical (Important non-security) patches is the worst of all worlds as they are the most important patches for fixing the Windows bugs. There are not many of those, only about 10 or around that number. Even Group W users should install the Important non-security patches if nothing else after Service Pack 1. They would have a perfectly working Windows 7 with the security risks involved, which need to be controlled in customised ways by each user assuming those extra risks.

The procedure presented to uninstall patches in bulk is a bit technically involved and not recommended for those who don’t have a very basic level of batch scripting or interested in at least understanding the commands presented. There is always the alternative of manually uninstalling patches from Control Panel for those with enough time on their hands. I did manual uninstall of hundreds of patches few times and I confirm that it works and is clean if there are no errors generated in the process.

Obtain the list of updates:
1. wmic qfe get hotfixid >> c:list.txt
(This will get you the list of all updates that are currently installed.)
2. Open C:list.txt in Notepad. (Remove the first line, it’s just the title)
3. Generate this uninstall script:
for /f %i in (‘type c:list.txt’) do echo
wusa /uninstall /kb:%i /quiet /norestart >> c:uninstall.cmd
4. Go to Edit > Replace and set the following field values: (CTRL+H, Replace “/kb:KB” with “/KB:”)
5. Run the resulting script.
6. Reboot the node.

NOTE: This is what the syntax should look like after you edit with CTRL+H.

wusa /uninstall /KB:981391 /quiet /norestart

**********************************************

The procedure is correct, but because of the large number of patches involved and differences between the level of maintenance of various computers, there is always a chance of error. Reinstalling the OS in Upgrade (Repair) Mode is not more complicated that a Windows 10 update from one edition to another of Windows 10.

Now I can’t get any browser to reach any Microsoft domain site or page. They are all specifically blocked, along with a few fairly random other sites. Chrome can’t get there, IE can’t get there and Edge can’t get there.

I thought the Windows Anniversary update was 1607 and the last November updates you were having us stick with until the AU got fixed was the 1511.

Your post only mentionos windows versions I am not familiar with. Did you put in the wrong numbers? You write
“so those of you with the Win10 Fall Update (version 1507 – type winver in the Cortana search box) are better off sticking with it. I continue to recommend that you stick with Win10 Fall Update by blocking the upgrade to version 1611.

What is fall update version 1507 and what is the upgrade to block 1611?

If I am reading this all wrong, what do those of us with the version you have told us to stick with Win 10 1511 do?

Whoo boy, now I am confused! Winver tells me I am on version 1607 (OS build 14393.222), but you are telling me that should be version 1611. Please help this old dummy! (I must be getting too old for this crap)

MS-DEFCON 3 is OK with one exception I would say. This is the MSE 4.10.205 release which is unclear still and I think we will see some clarification soon, probably next Tuesday. Those who installed it should leave it alone, but those who didn’t. should wait a little bit longer. Some MSE engine upgrades proved unreliable after one month or a bit longer and any old engine is fully working and taking the same definitions.

Thank you Woody. In more ways than I can count. You are a beacon of light in a dark and confusing forest.

FYI, my 150 clients have all completed the September updates just as you described, which by the way is the way we have been doing it for a year now.

This time we did something extra. We disabled the Windows Update service just to add an additional road block to MS trying to convert our machines.

I have told them that it is quite possible if not likely we will be in what you describe as group W for the forseeable future. I fervently hope we can find a practical way to do security only updating and then be in group B.

On the snooping issue, one really important difference you must keep in mind is that Google and all the rest are applications we can choose to use or not. Windows is an OS and in reality, we have no choice but to use Windows. Our only choice is whether to succumb to Windows as a Service.

I note today the end of the Microsoft wrist device. I would be very curious to see an assembly of the records of MS products over the decades. I’d bet big the failures far outnumber the successes.

I truly believe Win10 will fail just like Win8 did. It is just a matter of time before a whole bunch of C guys get dumped. Hopefully it will be in the next few years.

I have been a big corp IT guy. I am quite confident that if I had brought a proposal to my bosses to adopt Win10, I would have had a short career.

In my sphere of acquaintances I know of only 2 people who have gone over to Win10 and neither of them are happy about it and feel like they were victimized getting there.

So from my small chunk of the world, Win10 is an utter flop. Most have adopted Apple devices and use their Win7, Vista or XP devices much less than before (which by the way extends the lives of those devices). The winner through the debacles of Win8 and 10 is Apple, not Microsoft.

I’d like to append this comment to my report of a serious problem reaching Microsoft’s sites after the Sept Win 10 Pro updates.

Changing to OpenDNS and restarting (warm restart) seems to allow access to the blocked sites. This is definitely a buggy patch somewhere, but it only seems to affect the default AT&T U-Verse DNS service. Maybe others, but that’s what I have.

So I’m back in business, and with a better DNS service than before. but that’s no thanks to Microsoft!

I have kept my system up to date except for a few updates that I have hidden: 3 snoopers and 2 that produce the black screen of death. MS has no solution for either of the BkSODs.

I assumed the rollups that came down starting in July 2016 included all the updates that I currently have so I need not install them. Though this is somewhat unclear.

I will be a definite Group B because of those 2 toxic updates. MS will eventually package them both into one of the monthly cumulative rollups and I will get stuck at that month with no path forward. If I go with the security bundles only (non-cumulative) I have that path forward.

Humble apologies, but I rashly went ahead and installed the Security Updates on two Win7 computers earlier today. The search for available updates took about seven minutes each time. In the recommended group I was presented with only one non-security update (both machines), KB3182203, which I rejected because I don’t know what it is.

I also installed a few Optional updates that have been repeatedly offered as applicable to specific hardware on my computers, and unchecked all the regular bad boys like KB2952664.

Goodbye, Windows Update. Can’t say it’s been fun, but your replacement will probably be even less convenient and transparent.

Hi Woody,
I have a question about the hotfix for IE11 KB3192665 referenced in your post of 9/26/16. I am running Win 7×64 Home Premium. Apparently this fix is only available on Microsoft Update Catalog. Do we need to download this? It’s not mentioned in your updated DEFCON3 instructions. Thank you for your help.

This raises the point that the only change coming this month relates to the actual Windows OS updates as opposed to all the other updates covering e.g. IE, .Net Framework, Office and the WU client etc. which are unaffected and will be offered separately as usual, at least for now. I don’t believe this point is being clearly made in relation to the selection of Group A, B or W, or indeed in relation to the overall discussion of the updating change generally. A lot of sites are talking as if there’s only going to be one update each month which is certainly not my understanding at all.

So far as the Reliability Rollup for .Net Framework is concerned, it doesn’t add anything new so that if you have always installed the individual .Net Framework updates when offered there would appear to be no need for the current Rollup one to be installed. As it is a non-security and unchecked optional update it would not previously, I assume, have fitted Woody’s normal criteria for installation although he will doubtless correct me if that’s not the case.

With regard to KB3184143 which is stated to remove the W10 upgrade offer, I’m taking the view that as I studiously avoided installing all upgrade nagware (and still have GWX Control Panel running as I don’t trust MS any more and it doesn’t seem to do any harm or use resources), I have no need for this update. Again, Woody will doubtless advise if he feels differently.

I therefore have both updates hidden unless and until the advice is to install them.

You’re absolutely right. We have no idea what this month’s Patch Tuesday will look like, but it almost certainly will contain a hodge podge of patches for .NET, for IE, and heaven only knows what else. I’m hoping the Catalog gets pull out of the 19th century before we have to start using it.

I think you’ve diagnosed both the .NET Framework rollup and 3184143 correctly, but for those who expect to continue in Group A, they wouldn’t hurt.

Woody I just installed KB3179930 the .NET framework reliability roll up. First it failed to download and on retry it said it successfully downloaded/installed. Called for reboot and now my screen is stuck at preparing to configure Windows Do Not turn off computer for last 10 min or so..I need help.

Woody: Today after running Windows Update in the manner you suggested and installing a number of updates under the “Important” button there are four updates remaining there: one for Skype, one for Bing Bar, and one for Silverlight, none of which I use, and a fourth update KB3182203, the Novosibirsk time zone change for Windows. Under the “Optional” button there are thirty-one updates, mostly recommended and optional updates for Windows.

For those in Group A is there an advantage to installing, with the exceptions you noted, most of the updates under the “Optional” button versus simply waiting for the giant blob patch coming net week that will presumably include all of these individual patches?

And more specifically, will these individual patches disappear when the giant blob patch arrives or will both be available through Windows Update?

Hi Woody, with GWX “swept away”, do you think there’s any need to keep GWX Control Panel operating? I was thinking that even if MS seeks again to force a shift to Win10, it would not use the same vectors and therefore GWX CP may be redundant.
I’ll point out here that with Win7 Enterprise on my machine I was never eligible for the free upgrade – yet that did not stop me from being hounded by the MS nagging!

I thought I posted this comment before but I guess I didn’t.
I have a number of pending updates to my Win7 x64 system and a pending .net framework update.
I don’t know whether I should download any of these.
Any suggestions?

Hi Woody, well I thought I had downloaded and installed the .NET framework rollup for Win7 but it was the IE11 Cumulative Patch that failed first and then installed but took an 1 hour for windows to finish 3 stages of configuration. Never had that problem before with IE11 cumulative patch. So KB I installed was 318319 Not KB3179930. Sorry for confusion…I was trying to go off memory but I guess it’s not very bright at the moment. A view of installed updates in Control Panel shows it installed but don’t know if it installed properly. Not sure how I check for that. Is there a “sfc/verify only”scan and if so is this proper command?

Squarely in that camp. I’ve been in IT (operating systems, primarily) for over 2 decades, and I haven’t seen a mess like Windows 10 (and after Windows ME and Vista, that’s saying something).
These days I run IT in a small local govt agency, with staff that are primarily more, shall we say, tech ignorant (elder generation and primarily people who barely use word processors). If we had gone storming headlong into Windows 10, it would have been a disaster.

“You used to get the line at the top that said images were not displayed due to privacy and it had the ability to download the images. Lately that option is often not available and the only option is to view in a browser, a solution I do not like.”

Add an exclusion for the user or the full domain as the case may be under Junk. Right-click the message and under Junk set Never block…

Last question, I promise. I’m in Group A, have Recommended Updates checked so they appear with Security Updates. Then I have 4 Optional updates for September, one of which is the .NET framework reliability rollup for Win7 its big(60.9MB) KB3179930. They are not italicized and are all unchecked. Do I check those Optionals and install them as part of Group A or put on hold for now? I thought I saw a thread on this website that indicated some issues with .NET framework but not certain if okay to install since it came as Optional this month vs. Important update as in previous months.

I worked ALL DAY (12 hours so far and going strong) on my Win 8.1 workstation (uptime 31 days) and my Win 7-powered small business server (53 days uptime at the moment) doing ALL KINDS of work, running my small business, developing and testing software, supporting customers, collaborating with my engineers and testers, managing ecommerce, doing some accounting, developing an automated customer service system, playing Pandora… Hell, I even got a software release out the door.

No worries about updates, no distractions from what I needed to do.

*IT* just worked, so *I* just worked.

When you have a day where it’s all about what YOU need/want to do, then you realize what just we’re losing with all this modern BS from Microsoft.

That’s an interesting one, especially that Woody has seen it reported elsewhere. Do you have any additional security software installed, third-party firewall, antivirus, other security suites?
Also try https instead of http on any Microsoft site which does not respond.

I think it appeared as Important according to most reports here.
I am testing on the enterprise versions, however if Microsoft does not clear this issue in few days on the minor Patch Tuesday October 4, I will do the test with MSE on a VM to see what is going on.

Woody,
One of the Optionals KB3185278 is the September Rollup for Win 7 SP1 (60.2MB). So you are saying that MS will likely roll this into their October cumulative rollup next month and Group A people will absorb it at some point in time? At this time it isn’t listed as Important or Recommended and is listed as Optional and not checked along with the other Optionals (not checked) for .NET framework rollup and SFC Scan correction, etc. I agree with you I don’t want to be a beta tester for MS.

I’ve gone ahead and done most of the security updates for September. However, while reviewing each of them I saw that kb31475024 lists 2 known issues. Really? Fix and f*&$#p ….
Anyone have info on KB3175024? I’m not sure it’s even something I use.

As updating goes, I was in group W with XP for a long time, and it worked out fine. I’m almost ready to eschew the whole update quagmire. Shove a bun…

Leave it for longer. If you have another computer in the same network, I can tell you how to resolve it. Otherwise, just force shut down. It is the Trusted Installer, everything else is closed and you will not lose anything.

It is more of a perception of not feeling right than IE being buggy. I support IE in Enterprise and I can tell you that IE is a good browser. But it require a lot of effort to make it behave, it is far more complex than it should be. I see it only too complex, not less secure than the other browsers.
For the sake of simplicity and feeling well, just use Firefox. Or if you wish, use Chrome.

I’ve tried to find the relevant post but haven’t been able to. My question is I have 3 Update Rollups
sitting in Optional………. July, August and now September……. is it important to install them and do I need to install all of them. Think I read somewhere that yes one needs to install each one if one is going to do so.
Also think it was ch100 who made a comment that if an optional patch is not installed the first time round, and if it is changed by MS it’s offered as Recommended the next month. I am in Group B and know that you, Woody say don’t install anything which isn’t checked,
and originally that’s what I have been doing, and of course the July Rollup had the dodgy Intel/bluetooth problem…. which I’m not sure is even fixed yet.
My main reason for being in Group B is to stop the snooping and also to avoid dodgy patches.

But in optional I have the 2 Windows Journal patches, the 3 rollups, SFC integrity one, Remove GWX, and Silverlight……… which I actually hid after I had uninstalled the Silverlight programme…….. and it re-appeared again.
With regard to the GWX one…….. I’ve been using
GWX Control Panel (Josh’s one) and believe this removed all the GWX junk from my machine….. so is installing the gwx patch anygood/worth it or is it going to put something else on my machine that would be suspicious ??
What would be your take on these optional patches?
Should they be avoided? Sorry to belabour the point…… but my head is beginning to spin!!
Thanks again for all you do for us!!! LT

I tend to avoid adding unnecessary updates. Do you recommend the monitor keyboard and mouse optional updates? Occasionally I have had to replug my usb mouse and keyboard when they have stopped working.
I have cleaned out the problem/spying updates you advise against and have these left to consider. I am wondering about the cumulative updates especially.
Reliability Rollup for Microsoft .NET Framework (KB3179930)
(KB3133977)
(KB3137061)
(KB3138378)
(KB3138901)
(KB3140245)
(KB3147071)
(KB3161102)
(KB3170735)
(KB3172605)
(KB3179573)
(KB3181988)
(KB3184143)
(KB3185278)
Thanks.

Monitor, keyboard and mouse updates are all driver updates – and I emphatically do NOT recommend that you install the versions that Microsoft offers. If you have problems, work with the drivers from the folks who make the products.

I avoid long lists of “bad” updates. Consider the amount of work it would take to vet any single list of updates – and who’s to say they’re bad? Badness is in the eye of the beholder. At this point, I strongly suggest you follow the instructions in the article and not worry about the rest.

Woody, has anyone else reporting their updates not downloading or installing lately?

On the 2nd of October I installed the definition updates to Windows Defender and the September 2016 Malicious Removal Tool.

I only installed these 2 while I was trying to sort out which updates from security or optional I was gonna let install. After I have hidden the updates that had a chance to bork my OS, I was left with 6 updates to install. It won’t download them. It’s stuck at Downloading 0%.

What the hell could they have messed up with the defender definitions or the malicious removal tool? Everything was fine before I installed these so I’m guessing they are the culprits.

Did a couple of updates this am and all seems to be ok so far. Still have some outstanding ones. I would be in the Group B camp, not because of snooping but because of reliability. Also if have declined an update for a particular reason, and then it is in the roll up I didnt need to hide it in the first place??
Also if MS sends an update that breaks something, then I dont know how to fix it. Woodys advice has been helpful to me in this matter. Wouldnt it be nice if MS changed their mind and kept updates for W7
as it is. But sure the little people dont matter.

Oops further to my last post. KB 3175024 was installed this am. Then lot of funny script on my Google homepage. Uninstalled and its gone. This is why I do individually so I know which one is at fault. Hope this help.

I haven’t received ANY updates since Sept. 20th (Optionals), except for new definition updates. Should I try to do a scan to find out why? Usually everything just appears. Still do not have KB3177467. Nothing “new”.

I thought that the MSRT was ALWAYS safe (????). I installed mine Sept. 16th.

Where do I go from here?? This is going to be a “crazy time” the way it appears. Thanks for your help.

Back again. Reinstalled KB 3175024 same funny things on google homepage. Decided to leave and see what happens. After two or three openings it seems as if all is ok. Sorry for the confusion. At the moment it is installed and home page seems ok. of course this might change again and if it does I will uninstall again.

@LT It seems to be confirmed at this stage that many of the patches released initially as Optional are moved later into a different category. The declared purpose of telemetry is for Microsoft to do statistical monitoring of various counters in Windows and usage patterns and to determine where the product may be tuned.
Please follow Woody’s instructions by not installing anything which is unchecked, unless you wish to become one of Microsoft’s unpaid beta testers for fun like some of us do.

@Woody: Haven’t see any reference to the IE update from Sept. 13th (KB3185319)which had warnings that there were serious problems with it. Nothing subsequent to that warning. Is it still “unsafe” to install that one?

Thought there would be new information on it by now??? (52.1 MB) It’s still sitting in the “Important Updates”. Need guidance on where this one stands, please?? Thank you.

I found KB3175024 problematic. As I do run EMET in my business, I followed the workaround recommendation in the documentation using group policy.

Unfortunately KB3175024 just produces a black screen on our systems. The error code produced indicates that the user refused the update after the restart was requested. That actually means that the user had to reboot out of the black screen (as there is nothing else a user can do when this happens).

The MS documentation is only partially correct.

You have to uninstall EMET, then install KB3175024. I think the September rollup has the same issue with EMET. Re-install EMET after these updates are configured THEN apply the workaround.

I just noticed a typo in your write-up regarding the bad MSE patch to avoid: it is KB3193414 and not KB3194314. I can imagine it is a nightmare to keep all these numbers straight – there seems to be no system at all.

Anyway, thanks for keeping a watchful eye on this for us all. It is a great help indeed.

@WOODY Just started Win 7 SP 1 Home Premium update to see what happens. Set the update to “check for updates but let me choose whether to download and install”. I hope that I ‘have all my ducks in a row’. You mentioned about foreign country updates and I would not like anything like that on my computer. Those update would boost my OS at all. Any suggestions? Probably going with Group B.

“Then on the left, click Optional, and uncheck Silverlight and Skype, uncheck any drivers – see below – and uncheck any language packs.”

Woody, I have two questions regarding that sentence:

1st – I have one update for Silverlight (KB3182373) which is flagged as “important”, so according to you it should be installed, despite being an Silverlight update because it is in the Important tab, not on the Optional tab. Is this correct?

2nd – On the Optional tab, every update is unchecked, so besides Silverlight and Skype, any other update under this tab should be checked and installed?

The “it just works” ideal can actually be accomplished with a tweaked, augmented Windows 8.1 or 7 system, and you can have a really smart and powerful desktop.

Where the rubber meets the road the business world has not been stupid in hoisting [older versions of] Windows to the top. But unfortunately we now seem so far from that serious business focus with Windows 10 that people wonder out loud whether a productive day can only be had with a touchy feely Mac. It’s sad, really.

@ch100: I do not have MSE, and when there are references to that, I cannot correlate it with my “just plain” Win 7 Home Premium, 64 bit. Thank you for all of the helpful information which you post here – – – Your hard work is most appreciated.

Unless you absolutely need to use Silverlight, you can uncheck Silverlight, even on the Important tab. Very few people need Silverlight – it’s mostly for companies that were bamboozled into developing their own Silverlight applications a decade ago.

Tough decision and, sad to say, it’s one you’ll have to come to based on how you feel about patching and Microsoft.

The “foreign country updates” are mostly about time zone changes and occasionally adding a currency symbol. They’re almost always entirely optional, and not worth worrying about – unless we get hit with a big one like the Ruble debacle a year ago.

If you followed the instructions and “Give me recommended updates the same way I receive important updates” is turned On, Windows Update will automatically check all of the updates that you need to install.

Am I right in thinking that backup imaging is really dependent on having your hard drive partitioned so the OS can be backed up without having the whole drive cloned? Time-wise that would seem to be the case, but I wouldn’t be surprised if most “average” users – myself included – just had a single hard drive with no partitioning because that’s the way the “average” computer is supplied.

All plain sailing on one of my W7 x64 Home Edition home computers, but my other one gave me some issues that are now hopefully resolved satisfactorily. I always do them a couple of days apart so I always know one is working ok!

I installed both the IE update and the speed-up one (3185911) ok, but although 3175024, 3177186, and 3184122 (eventually) downloaded and installed ok as a batch the computer stuck on configuring them before rebooting and after an hour rebooted to report they had all failed.

I then managed to install each of them separately without delays or problems. I haven’t so far bothered with the time zone one (3182203) or the MSE engine update (3193414).

I found that using a smaller (<100 GB) partition for the C drive and the remainder of the disk as a data partition for D drive is more convenient if the disk is large enough.
There is debate about the disk access speed which is reduced in such a setup as the controller has to access the same disk twice as much when accessing both partitions at the same time. It is all a matter of balance between performance and convenience.
On the D drive I created another empty folder named Users with the same permissions like the one on the C drive.
Under C:Users go to each system folder except for AppData and change the location under Properties for each, replacing C with D. Allow the system to create the new system folders (Documents, Music, Videos, Favorites, Contacts etc. – 11 in total or less according to preference) and move the files.
It is supported if the whole profile is not moved and it uses built-in tools and there is no registry configuration required.
Do not move the built-in Administrator, the one named Administrator. That one is better left alone where it is and that user only used strictly for Administrative tasks if it is enabled.
The setup is suitable only for stand-alone machines and not suitable for domain joined machines where there are better solutions addressing the same issue, i.e Folder Redirection using Group Policy of the same folders on the network and maybe Offline Files. I have reservations about using Offline Files, but some people report success using it.
It may be too complex for some, require a bit of practice to get it right, but it may be worth it, depending on individual requirements and preference.
There is no right or wrong way, only be aware that added complexity require a bit of skill to keep it right and reliable.

It is certainly cleaner, only that a 100 GB partition image is much easier to take if this procedure is used as regular routine before updates (I don’t do backups regularly, which is bad practice) and store that let’s say 1000 GB disk image.

The .NET 4.5.x/4.6.x is a bundle of 2 rollups of the previous patches. No urgency in installing it, especially if it comes unchecked and Optional. It will become mainstream one day. There are still issues with the naming which are confusing and it may be reviewed again. It was already reviewed at least once since it was released.

Alert! Guess what old uninvited guest appeared today? Our old nemesis KB2952664, the evil harbinger of GWX. On Win7-64 Pro it is shown as optional. Hidden again.

If GWX is done, why do they need it? I suspect GWX_v2, but with less subterfuge or malware-like behaviors, will be offered to “rescue” worn-down Win7 and 8.1 owners from the MS-caused update and patching hell.

If you think these ‘bad actor’ updates will be phased in forget it. Group A will get it on month 1.

To be honest, I’m sceptical about the wisdom of my backing things up, partly because I don’t have anything that needs backing up in terms of documentation or game saves etc, all that matters is either duplicated on another computer or saved in the cloud through e.g. Steam anyway. In that sense I suppose my twin computer/cloud approach (the computers are not linked but emails together with important documents go to both machines) is its own backup. What I can’t do is restore a machine (outside of System Restore) if one of the computers fails for any reason.

The main reason for me to consider backups is this whole Windows Updates malarkey. However, with two computers to safeguard and about 2TB of data in all I wonder whether the time spent backing them up is worthwhile compared to the time spent in fixing the occasional hiccup, not least when a backup image is of no use whatsoever unless you check from time to time that restoring it actually works, and if there should be a test run when it doesn’t work then you’re screwed anyway!

I’ve also looked at a couple of guides to running backup imaging software and found them mightily confusing to a simple retired soul such as myself :)!

All that said, however, the forthcoming change to WU does give one food for thought so far as backing up is concerned.

I just realized that I did not have the box checked next to “Give me recommended updates the same way I receive important updates.” Rerunning Windows Update with that box checked I noticed that KB2952664 appears under both the “Important” tab and the “Optional” tab of Windows Update. The brief description under the “Important” tab indicates the update was published on July 12, 2016 whereas under the “Optional” tab the stated publication is today. Clicking the “More information” button on either description takes the user to the same KB article dated July 12, 2016 revision 24.0.

I just did this on Friday. I did a complete backup. I created an Easy transfer file. I re-loaded Windows 7 on my computer from an image I created at the beginning of the year (3 DVD +Rs). That image includes Windows and all its updates to that date plus MS office 2010 and all its updates and a few other stable programs (ones that rarely change).

Then I did a full update of Windows and Office. Defrag, chkdsk, clean up.

Then a system image that took up 3 +R DVDs. This is my image that will enable me to go back to Windows 7 pre the October update tragedy to come.

Then of course, used the easy transfer to put everything back the way it was.

Then I took out my backup computer and repeated the procedure but used the image from the main.

Well… The sad part is that I already have it installed… Along with KB3150513…

I just checked and they were both installed a long time ago, before I came across this lifesaving blog of yours… And I had no idea…

Guess I’m being snooped… And the worst part is that Windows Update is so broken that I’m afraid of removing them both and screwing my system…

And for the sake of knowledge I’ve searched KB2952664 and found it had a lot of new files since it’s original push, so it has been updated, can’t tell when or how many times, but it has been refurbished and could be probably been pushed once again as KB3172605 was this month… So people be aware!

Haven’t gotten any updates EXCEPT: KB2952664 twice; 1st as Optional 4.7-4.8 MB (this morning) I hide it. Then at 4pm EDT I got this again (KB2952664) as recommended and I have now hidden it again. When to MS Windows site and this is an “update to upgrade windows 7”. Sounds like every body else is getting regular updating. Any ideas?

1. I have been searching for Win 10 version 1511 updates, and anything else that should have come down the MS Update line today for MS office or other, and nothing is showing up.

It is past 6 PM EDST, or after 3PM Redmond time. Is something amiss?

Should I be seeing some updates?

2. Interestingly enough, for my win 10 version 1511 I had KB3150513 hidden, although it was showing up with Noel’s C tool, and the metered connection as being ready to download for several weeks. I find that it being hidden and ready to download a bit strange.

When I turned off the metered connection last night, it downloaded even though it was still hidden–very weird.

This is a great posting thread. A question for the experts who are on this thread. I have used older ‘cloning’ software, but it is obvious there is now better and easier to use software and routes. I admit in the past the scenario of the OS changing its behavior upon a reinstall was not considered. If this is not appropriate for this thread, I will understand.

Do you use the Win7 tool “Create a System Image” or something like Acronis or Macrium Reflect, etc. to do a complete disk image?

With 1TB disks so cheap, I was thinking of doing a clone of the Disk 0 my C: drive lives on. It is a 1TB WD HDD that is partitioned as C:, D:, and the System Reserved partition.

C: is the standard Win OS and data; D: is a working directory for image and video manipulation, and to build archive sets for transfer to removable HDDs, but is not used for actual storage and is not critical to retain on the same physical disk as the OS/Boot.

Will the “Create a System Image” copy the entire Disk 0 and all its partitions or just the C: partition? Is the System Reserved copied?

Is it possible to just copy the C: and System Reserved to a smaller drive?

An adjunct to this question is also to facilitate a migration to as 512GB SSD as the C: boot drive/system reserved.

In the SSD scenario, I would have my data folders (libraries) on a separate HDD.

I forgot to mention my computer is Windows 7 SP1 Home Premium, 64 bit Windows Server 2008 R2.
I believe I will be Group B.
I did download Canadian Tech’s update fix directions yesterday. kb3172605 and kb3020369.
Hoping I won’t need the “magic” patch anymore.

It is also more far more convenient which is why Unix did it by defeat all the way back in System V. By having a separate system partition it means when it comes time to install a new OS it doesn’t have user data fragmented in with the OS thus the installer can just reformat / and install without disturbing user data.

To me Windows putting moving user data to a second partition by default is just another way Windows is behind the times compared to Linux and BSD.

There is nothing other than KB2952664 as Optional. You should have 2 of those now. One Recommended and one Optional. Do not install any of them unless you plan to upgrade to Windows 10 🙂
Try not to hide updates, to allow Windows Update to manage them when they are expired. It is bad practice to hide updates in the long term and useful only if you have Auto Updates, but nobody reading this site should have Auto Updates turned on.
There are also Office Important Updates, unchecked too. Do not install until they get checked from the source.
Note: I think the WU common behaviour for the last few months has been that the Office Updates coming first Patch Tuesday of the month are checked for Windows 10 and unchecked for all other OSes by default.

They still hope that some people will upgrade in place to Windows 10 one day, some of those who reserved a copy during the first year and some who are new paying customers. For those users, KB2952664 is supposed to be useful in assessing the compatibility of the applications already installed. I think this patch acts more like a definition update for new compatibility issues discovered either by Microsoft testing directly or by snooping on people’s computers for potential problems.

KB3172605 was re-released on September 12, 2016 and contains the updated Windows Update Agent – version 7.6.7601.23453 that permanently resolves the long & slow WU scan problem AND does not depend on any “magical” & newest WIN32K.SYS updates.

There is a new version of KB2952664. I don’t follow Windows 8.* so I am not aware of the other patch.
Article ID: 2952664 – Last Review: 10/04/2016 17:25:00 – Revision: 25.0
There are recent files from September 9 and 12 in the patch.

This is one of the “special” Enterprise versions getting only security updates. It is supposed to be released separately when a new major “feature upgrade” for CB and CBB is released. Edge is not working as far as I know and the first release LTSB 2015 was hardly functional compared to the other versions.
You can obtain a more functional version by using one of the mainstream editions (Enterprise or Education preferred, but Pro is OK for most purposes) and removing all Universal Apps with PowerShell.

Many thanks Woody and ch100….. your thoughts are v. much appreciated. Re Telemetry if that is all MS are harvesting …. it would be quite benign…… but I feel there’s more to it…….. and so Telemetry has become to me a ‘dirty’ word! I guess what you were quoting, ch100, was perhaps the ‘official’ line from MS. And as Woody has so often said…… if only MS would be more transparent about all this …. it might put these anxieties to rest.
Although did read somewhere that the hesitation in communication is really about not letting on to the ‘hackers/scammers/etc.’ what exactly is behind MS’s motives.
I’ve updated both our machines this afternoon with only the security patches and the timezone one. The optionals are still sitting there……… and I noticed that good old 2952664 has been added!
So GWX Control Panel stays incase MS plans something in the future… LT

To acquire knowledge, one must study,
but to acquire wisdom, one must observe
~ marilyn vos Savant

Windows has a System Partition (the names are messed up as it is in fact a Boot Partition) while the one named Boot Partition – the C drive – is the true System Partition).
We discuss here other partitions than those created for boot purpose, like UEFI partitions or manufacturer’s restore partition.

For Windows purpose only and if not using the built-in encryption BitLocker, it is normal to install Windows in the old style without the separate boot partition. There is no advantage in having a separate partition with MBR except for being a condition to use BitLocker.

Let’s not forget the real possibility of SSD’s getting damaged. This is my main concern in relation to loss of data and the danger is far bigger than with mechanical disks which are still recoverable to a certain extent even if they get mechanically damaged and the importance of data is worth the trouble.

Each software is different and needs to be understood in detail when it comes to disk/partition imaging.
There is no one fit all solution to your enquiries.
In principle you should backup partitions and only rarely disks. Generally restoring disks involve identical size restore, while partitions restore allow more flexibility.

That is their intent, yes, though they’re not specific to group W. In fact, I need to do a some updating to the content (thanks for reminding me) as they don’t take into account Microsoft’s latest moves and still recommend applying updates. But pretty much all my Windows tweaks and suggestions for 3rd party software are in there. The reason I wrote them is that I needed to capture what it is we do here in my company to reliably and quickly get to an “it just works” state so as to be and stay productive.

Hurricane Matthew is bearing down upon us, and I fear power failures are likely to break my long uptime trends, darn it. I have UPS power, but the batteries are necessarily limited and hours-long power outages will certainly mean shutting down the systems.

What has always bugged me is, why can’t the whole user folder be moved as a single entity, instead of Documents, Downloads, etc. separately? There are some (many, I think) programs that keep settings in that Users folder, but not in one of the movable locations, so they are stuck on C:. And what about AppData itself? Of all the things that I would want to move to another partition, that is at the top of the list. Is there a compelling reason for it to be where it is?

The final size depends on the components already on the system. It is likely that few components are shared with other patches which may or may not be already installed.
This patch KB2952664 we have already reached almost consensus here that it serves no other purpose than to facilitate the upgrade to windows 10 and if you don’t have any intention to upgrade in the near future, it may be better to avoid it.

On the instructions for download and install of the evaluation, it says after the 90-day period expires, if you haven’t activated, it “will shut down every hour.” I’m finding that hard to believe. Just a scarecrow? [Not a very good one if it is, since very few people bother to read the terms and conditions. A scarecrow in camouflage – that does sound like something MS would come up with.]

It can be moved by manipulated the Registry. I used it for a while, but according to Microsoft there is big potential for trouble and it is not supported. One such instance is when you need to do an upgrade in repair mode.
AppData is “special”. Everyone has an opinion about it. It contains application settings and not user data like the other system folders.
If you want to read about user profiles in depth, read it here https://helgeklein.com/blog/
Helge Klein is the author of the Citrix User Profile Manager software and is the absolute authority worldwide in this matter.
Probably AppData can be moved locally though. It is all about a lot of traffic generated by software reading and writing in this folder and there are issues when this folder is redirected over the network.

LTSB is a special version of Windows 10 for Enterprise users with security updates and NO feature upgrades.

I have a copy of Windows 10 LTSB 2015 (Version 1507) installed on one of my computers just to see what it is. I occasionally boot into it to see if it still works and conduct tests. Otherwise I almost never use it on that computer as I usually boot Windows 7 Enterprise on that computer for use.

But it is the version I will use if I am compelled to use Windows 10 in the future. (I hope not, haha.) No Cortana, no Windows Store, no Edge, no feature upgrades during support period (until 2025), suit me fine. This “hardly functional” version is the “best” version of Windows 10 IMHO.

I’m not tech savy by any stretch of the imagination, and it took a little bit of time, but I did manage to find out what my Windows Update Agent version was and it is 7.6.7601.23453.
Thanks for the info EP

Woody
2 of my computers updated yesterday no problems but a 3rd one, windows7
Is still downloading at 0% since yesterday afternoon. Funny thing the dates shown for patches are all Sept 13 but the last time the computer says it checked was 11Sept. This laptop is not turned on everyday. So what do it do to make it download the desired patches? And computer geek I am not so simplest is bestest. And for now I am in group B. Thank you.

After using wushowhide during mid-Sept. on Win 10 Pro, I ran into this issue.

Looked into Updates History and found the blocked updates were listed as Failed to Install in mid-Sept. when I did a run just for Flash Player ofr IE and Edge.

I had to run the Microsoft tools and a batch file to reset Windows Update. Then restart with a full shutdown (temporarily disabled fast startup). The wushowhide and regular Windows Update checks then showed all the previously blocked updates. I unhid all relevant updates except the Anniversary Update, and turned off Metered Connection and let ‘er rip. It took forever due to a DNS Lookup issue, but eventually I got everything downloaded and installed.

Safe for another month (phew!).

Don’t know whether this helps in your case, but this happened to me on two PCs.

“That may sound horrible, but realize that you’re being snooped upon all the time, with your search engine (except for duckduckgo and a handful of others), your email provider if you have a free account, your browser (opinions vary as to the extent of the snooping…”

I know its difficult to prevent all snooping unless you live under a rock but you can limit it’s impact. I do use Firefox with duckduckgo and https everywhere from eff. I also got rid of my verizon email and found a great free email called protonmail. This email server was created by MIT students because of there concern over this:

For this email, you need to use a password to get to it and then a separate password that unencrypts the email. The encryption is not stored on their server so they could not unencrypt it if they wanted to. Plus Swiss laws no not allow governments to request the server information to be turned over like our laws do.

With 2TB of data, separating data from the OS may be a good idea. This makes the data capable of being backed up more frequently as new files are added and old ones are changed. Windows 8, 8.1 and 10 have File History which works well for many folks in this situation. You have continuous backup and except for a ransomware lockup, very little can happen which would result in non-recoverable data loss. And File History is reasonably easy to set up and use — it’s mostly set and forget, which is good for most folks.

System Images are most useful for those of us who customize Windows and use a lot of tweaking utilities, or who generate very little new user data each month. Or like me, who dual-boot or use Virtual Machines. Not your average Windows 10 user (or even Windows 7 user).

For everyone else, File History combined with knowing how to Reset or Reinstall Windows is a perfectly good alternative. It takes some time to let a Reset or a Reinstall go through, but with all your data safely segregated from an OS disaster and backed up automatically, you need not fear the Reset option.

At least if you haven’t customized your Windows too much. Which most non-technical users won’t bother to do. Maybe you haven’t used all-defaults, but if you keep minimal notes of necessary or desired changes, you can get back up and running pretty quickly. And you will be sure your system is up to date and clean.

Not to brag, and this isn’t the right solution for everyone, but I just did all my backups and all my updates and then did a new backup image for three PCs, using Macrium Reflect Free and a trio of external hard drives, in about the same time frame. As long as there are multiple copies in several locations, I figure the chances of everything becoming unusable are pretty slim.

My Linux gets backed up just by running CloneZilla Live to an external drive, then copying the results to two other drives. All told, less than an hour of my time and effort. (But this is all Commmand Line and bootable medis, so one does have to learn the procedure once.)

There are issues with internal Widnows Shortcuts, known technically as Symbolic Links or SymLinks. These are everywhere in Widnows, not just in Libraries. This is one of many sources of troubles with this older approach to data segregation. Most modern programs are also full of internal links which complicates things even further. File History also uses SymLinks.

For SSDs, you can still do Partitions and Partition Backups. At least you can do so with Macrium Reflect Free, which is the one program I know pretty well. This program (and many others) is not bothered by UEFI or Windows Fast Startup or GTP/GUID disk structures. The program is fairly simpleto learn and is presented in a clear GUI format.

My point is, yes, cloning works well in some situations, but partition imaging is reliable, fast and once learned, fairly automatic.

I have both mechanical hard drives and an SSD which I back up each month or even more frequently if I’m making big system changes. The whole process per PC with SSD and fast internal hardware (and SuperSpeed USB 3 ports) can take as little as ten minutes. Including verifying the image created on the external drive.

For data only, File History is even easier and quicker — in fact, it’s almost continuous.

These are not the only solutions, and they don’t cover every possible situation. But I cringe to read thatsome people are over-thinking something which can for most folks be so simple and automatic as image backups and File History.

Plus-One for Macrium Reflect Free. WinPE is defintiely the way to go, although there is also a simple Restore Envrionment which is the Linux version and boots and runs faster. Both options are included once you do the large donwload for the initial WinPE setup. There’s even a Boot Menu option for use when Windows can start up but you can’t get beyond the Splash Screens.

As the Typo King, I hate to do this, but I think you mean Windows 10, version 1511.

I am not sure that wushowhide when used for a prolonged period, might not be messing with the Windows Updates mechanism in Windows 10. Particularly the Update History and logs. My own experiences are incomplete in this area.

And with the Carboni (wushowhide) method, it is possible to get updates tagged as Failed To Install because they were not downloaded but were found to be available in the Windows 10 Updater. Sometimes stuff like this can get Windows Updates confused, and then the Windows Update mechanism may have to be reset, for which purpose there are batch files posted online which work well in most cases.

The idea is to clear the Updates History and Updates Logs of these Failed To Install and other possible errors which may be blocking the display of new available updates.

The other symptom of an issue of this sort would be that updates supposedly previously installed are offered again. I’ve also had that happen.

Wushowhide may not be solely responsible for this situation. But it wouldn’t hurt to do a Windows Updates Troubleshooter diagnostic is this is a persistent problem as it became for me.

Oh, and then there was my experience of a Sept 2016 Win 10 update interacting with my ISP’s DNS Lookup Service and blocking all of Microsoft’s Domain pages and URLs. I still don’t understand what happened there. I simply switched DNS servers to OpenDNS and the problem cleared up, and updates were available again. Weird!

Absolutely agree with ch100. And even with mechanical disks (or any backup media), I personally always assume that when I actually need the most recent backup it will be turn out to be unreadable, so I need another earlier (but still recent) backup on another separate spindle. “The importance of data is worth the trouble” — yes.

The Sept 2016 updates took a long while to install after restart was initiated on all three of my PCs. This is not cause for alarm. It can take up to 20 to 30 minutes on some systems before you can use Windows again. Patience!

Education is OK GPOL works and you can set Telemetry to security only with a combination of settings & GPOL apparently less intrusive than “basic” in privacy settings. Best of all no Cortana, you actually get a full task bar back again. So far so good apps dont seem to crash and are stable, although a bit of a pain to network a printer (it wont look for a driver you have to go find one) Probably the only thing to put folks off is the Edu. title.

Not sure why, but switching my DNS server from the default used by AT&T U-Verse to OpenDNS unblocked the Domain. Something seems very phishy about this, but I can’t put my finger on its exact cause. Could AT&T be violating security protocols required by the Sept MS Updates patches?

But the way the patches figure in is that the DNS seems to have a problem wiht Microsoft Sites which did not exist before the patches were installed. I should not have posted that this might be a bad patch on Micorsoft’s part (although that remians a possibility).

It is becoming evident that the fault is indeed with AT&T’s Default DNS servers. OpenDNS works just fine on these machines.

I don’t have time now to check all the comments that have already been posted for your post (this post).

I read the part about Group B, which I intend to adopt and felt that important info was left out of your post. That is, the “settings” one should set for the Group B folks going forward. How should the B’s set the Windows Update settings? I think my current settings are good for a Group B person.

Settings for Group A and Group B are identical to the settings I’ve long recommended: Auto Update set to “Check but don’t install” or “Never check.” See the Automatic Update tab at the top of this page.

Those in Group A may want to check “Give me recommended updates the same way I receive important updates.” but that isn’t really necessary in advance. And it also isn’t clear exactly how Windows Update will interpret everything starting next week.

Thank you, that is what I felt needed saying for those like myself who is not very into the internals. I hadn’t read all of your post so I missed that you had put into the Group A’s instructions the basic settings which will give the user what is needed. The Group B needed that same thing in their instructions.

@Woody: Thank you very much for the advice on KB3182203. I shall proceed accordingly. I am a potential Group B (Win 7, Home Prem, 64 bit).

I already had a link to Dalai’s site, however I was wondering about the Canadian Tech’s advice, as I see there are a few who are following that.

I did finally find Canadian Tech’s advice, however I am WONDERING if that will take the place of Dalai’s last “Magic Patch”. I have the current update patch which was provided by Dalia however it appears that this last Magic Update patch is only valid until ***October 11th***.

Does this mean that we should use Canadian Tech’s advice now and install KB3172605? This is the new “Optional” one that is not checked, and IS italicized. Don’t know which way to “jump” at this point in time.

Thank you, I’ll have a look as I am indeed curious. I know I understand very little about the complexities of managing large-scale systems, but on a single isolated PC for personal use it seems that there should be an option. Well, as you suggested, the option is there, it’s just not documented or supported.
I guess my opinion of AppData is that it is, unfortunately, a place for anything and everything. I can understand wanting temporary data such as various caches and histories to be hidden away, but actual settings that are meant to persist belong in the category of user data. The problem is that most programs don’t distinguish between the two and stick everything in there (or just as bad – in the Registry) and if I want to back up program settings, I have to go through program by program and find out where each keeps them, some may have an intelligent way of exporting them, others don’t – it’s a lot of trouble for something that could have been very simple.

You have Silverlight under Important because it is a Security patch to the previously installed Silverlight product.
Best option, uninstall Silverlight and you will not need any future patch to it.
Your second best option, only if you need Silverlight, install all updates to Silverlight as they are like Flash patches, trying to fix design flaws on the go by patching often.

Correct, it was an unchecked optional patch.
Will add it to my hidden list.
FYI, the only updates I have done in almost 2 years were only the “critical” patches.
The exception lately are the “magic” patches needed to speed up the update, and just recently the Canadian tech patches.
My hidden list is quite lengthy!!
Thanks Woody!

Has there been even a hint of news about the refurbishing of the update catalog? I know my tinfoil hat will be showing with my next thought but, is it too far out in left field to imagine M$ dragging their feet simply because people don’t want their shiny new system? I know I’m probably completely wrong, but with the stories that come out almost daily about the way tech companies operate nowadays, nothing would really surprise me anymore.

@Woody: Thank you for the information, however I don’t know what the difference would be between Group A and Group B, as referenced in Canadian Tech’s directions.

I would be Group B, and would like to ensure that I’m doing this correctly.

Following your Group B directions (as posted on October 3rd) appears to be very clear, however I don’t know what relationship it has to Canadian Tech’s directions about installing a “forever Patch” which will supposedly be the “one” which will fix the problems with the “slower than slow” updates permanently (?).

The only question which I would like to verify is: 1. Start Windows: Change the setting to NEVER Check for Updates. Close Win Update Window. “Some members recommend you return the setting to whatever it was you used before the operation, after you complete Windows Update”. This would be AFTER the manual DL, stopping Win Update, and then installing (?). I’m only referring to the 1 update (KB3172605).

I’m rather insecure about “trying” this maneuver however, if I don’t try it, there may be the problem of having the “never-ending search” for updates once again.

Have you recommended that most users, utilize the Canadian Tech’s information, or is there a REMOTE chance that we’ve seen the end of the “never-ending search for updates” at last?

Probably a foolish question, however, if I could avoid anymore problems I would be in “7th Heaven”. Thank you once again for your help. I don’t now how you keep up with it all. You are amazing, and appreciated by all of us! 🙂

well i had this link kicking around for a while i wasnt going to post it as it contians a lot of blurb basically lots info about what the average user can already figure out and tinkering with the resistry which i dont advocate really. you probably have this ch100 but it may be of use to some folks.

True Group A should not have any issue.
I expect that true Group B should not have issues, as the speedup patches are all Security patches affecting supersedence and the other relevant one for Windows Update agent KB3138612 is an Important Update.
The better agent included in KB3172605 is not part of Group B style of patching as at the time of this post, before October 2016 patches. I still believe that KB3138612 is good enough for most purposes, but time will tell. We may find KB3172605 being promoted as Important and then the issue is completely sorted.
Be aware, if installing KB3172605 as non-important and not all other Recommended patches at least, then you are doing random selection.
Those who selectively install patches based on their own criteria can expect any kind of scanning behaviour, from ideally short to the very long ones.

Have a very long story here about the AU but, will make it short. Somehow it installed on my machine by itself. I had the original Windows 10 and PC had been perfect since Mid June when I had my Best Buy Geek Squad install it. Since this AU installed the only problem I have is with Skype freezing on me and chat messaging coming and going late. sometimes have to wait 20 minutes for a reply. Took back to the Best Buy store Geek Squad and there they find nothing wrong with the AU install or Skype. In fact they rolled back to the orignal Win 10 and reinstalled the AU as they suggested I might as well as it will soon be shoved down my throat anyhow and it may be worse. I actuall went to the store one night and used my PC there at the store and chatted with someone and never froze once there in about 45 minutes and messaging is perfect. Took it home and hooked up and the same problem. I have cable ethernet. My Bitdefender keeps my PC squeaky clean plus the Geek squad does an optimization fire before they fix anything and again squeaky clean Pc. I have searched Skype and they don’t even mention a freezing problem. Went to community forum and sent them my results from the Run box for dxdiag.exe and haven’t heard yet about that. I can go on and on about what I have tried from googling web sites and fixes and most are old. Geek Squad says they find no problems with Skype by a method they use. Of course at their store their internet hookup etc is better than the avg person. I called my internet provider I have no cable or connection problem there and my modem is brand new. Any suggestions here about the AU messing up my Skype possibly. Sorry for the long.

In the 3 or 4 years since installing the OS I have indeed hidden some updates ( in total less than 10 ).
Dunno, I’m a masochist and would prefer to avoid nuking the distribution folder… call it an engineer flaw. 😛

Skype, globally, has some weirdness in the past months.
Has happened that some had delays / spinning circles in different countries.

But this description is a bit more peculiar… the differences btw the shop and the home connection are the provider and the router.
If we assume the provider has no direct involvment, maybe is the router that for some weird reason needs to have some ports opened.

“When you install Skype, a port above 1024 is chosen at random as the port for incoming connections. You can configure Skype to use a different port for incoming connections if you wish, but if you do, you must open the alternative port manually.”

Well, I went and finally contacted Skype and got a guy to come on and he uninstalled the newest version and installed a different one and so far no freezing. Still having a bit of messaging problems but nearly as bad. So, as good as we can get for now. Still accepting any ideas. Pat

Since becoming aware of Microsoft’s Get Windows 10 drive and this website, I have generally been installing only critical and important updates for Windows 7 after Woody goes to MS-DEFCON 3. After installing updates a few days ago I very quickly skimmed the KBs for each of the twenty-five Windows updates that are still available to install. Three of these updates, KB3172605 for July, KB3179573 for August, and KB3185278 for September are titled “[Month Year] update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.”

If these monthly updates are truly rollups of all of the respective month’s updates why do we also get additional individual updates? Also, were there any similar rollup updates prior to July 2016?

As far as I can tell, the monthly “update rollups” started appearing in July, as part of a test for the new method of updating Win7/8.1. More about that in an InfoWorld article that should appear shortly.

They are NOT cumulative updates.

We get additional individual updates because Microsoft hasn’t ironed out all the problems with its new patch delivery method.

Thank you Woody & ch100, I finally got updates following the Canadian Tech directions in ch100’s message. After doing the Canadian Tech instructions I did updates in 15 minutes!!! ch100 indicated that hidden patches may have added to the problem, and I have found5 hidden patches: office kb2791057, win7 security updates 2984972, 3076895, 3080446, 3093513. Should I unhide these and NOT install them? Would win update take them away if they are not needed? or do I leave them hidden? Thanks again.

So I plan on doing a fresh install of Windows this patch Tuesday on a spare hard drive to test out the new patches before deploying them on my main installation.

Since updates are going cumulative will all the current patches for Windows 7 & 8.1 be rolled into one update from the get-go or will they gradually be incorporated into the cumulative updates?

I Haven’t been able to work that out. Can you clarify for me Woody? Just so you know I plan to do a clean install of Windows 7 SP1 in trial mode. I usually install updates right away but I think if the cumulative updates do become a problem I’ll start following your MS-DEFCON System. Thanks.

I am not usually in favour of resetting the SoftwareDistribution folder which is only a cache, but in many cases users attract WU failure on themselves by claiming to know better than Microsoft by hiding updates, while at the same time insisting to use a Microsoft product.
All the recent workarounds with speed up patches should really be useful only for new installations and not for Windows 7 installed many years ago.

I re-read some information from aboddi in few places and it appears that the Convenience Update has pre-requisites which are not made clear in the documentation. The big rollup patches Feature Pack like products which are already installed. Some of them are the Platform Update, RDP8/8.1 and few other.
So the Convenience Update is not a fix for everything, although it may be useful if used as intended.
For now, I think the most reliable way of patching is still installing the patches as they were released on Windows Update, with few tweaks to “grease the wheels”, like Dalai’s method and/or Canadian Tech’s method.

yes, except that the Agent that microsoft pushes automatically (and checks daily versus) is 7.6.7600.320, and it’s 2 or 3 versions older than the agents linked on the german site.
Moreover elsewhere is mentioned that that very agent, 7.6.7600.320 , has issues.
This to say that sometimes Microsoft doesn’t know better.

Woody: I came across some interesting information regarding the prerequisite updates that must be installed on Windows 7 and Windows 8.1 systems in order to bring those systems up to Microsoft’s “baseline”, i.e. to make those systems eligible to receive updates under Microsoft’s new updating protocol which goes into effect in October 2016. I think you and your readers might be interested in the following excerpt from Nathan Mercer’s August 15, 2016 article on the Microsoft TechNet website. The link is:

In Mercer’s September 20, 2016 (10:06 am) reply to a commenter, Mercer says: “Systems need to be at Windows 7 Service Pack 1, or November 2014 update for Windows 8.1. We don’t expect to have any other prerequisite right now.”

For those of us (like me) who are running Windows 8.1, I believe the “November 2014 update” that Mercer refers to is the dreaded, highly problematic, massive (over 700 MB), November 2014 Update Rollup KB 3000850. The most current Microsoft online support page that I could find for KB 3000850 lists multiple known issues and complex workarounds for this update (the support page itself was last revised on July 17, 2015 — that’s right, 2015 — and is up to revision 14). Do you have any reaction to and/or suggestions regarding the above?

Nathan Mercer says “We are planning to add these previously shipped patches over the next year and will document each addition so IT admins know which KBs have been included each month.” making it sound like current patches would be rolled into the monthly updates over time. But his replies in the comments say individual patches will no longer be available after October.

So will ALL the current patches no longer be available after October or will the current 230 some patches still be available until they’re rolled up into the monthly updates? That’s what I was wondering.

I did try the continence rollup once. It didn’t work. Since it uses ActiveX and IE is a piece of crap it wouldn’t download. Although I did discover a combo of patches that work wonders for Windows 7 updates on a clean install in terms of the scan time. I forget which ones at the moment. When I find out I will reply to this comment.

In short, Nathan’s planning on adding all of those 230 patches to the rollup, but it isn’t going to happen any time soon. The patches will continue to be available, I think, forever – although Nathan didn’t explicitly say that.

Wait for my Patchocalypse article – should be up on InfoWorld shortly. If you have questions, yell!

You’re right on both counts. Microsoft won’t install anything on original Win 8.1 machines. You have to have “Update 1” – since renamed to “Update,” and now largely not mentioned in casual conversation. That’s 3000850.

I install these at the same time as my programs and drivers without any other patches installed. Maybe you’ve seen this combo before. If not just thought I’d throw them out there. So if you’re doing a clean 7 install these will work wonders. Might help someone else out there.

Is it “necessary” to set up the Group (B) BEFORE I install the few updates which I have?

I don’t think it should make a difference, however I “definitely” do not know for certain and I need to get started setting up my Group B requirements as you have set them forth.

Apologies for not asking this question sooner. As soon as I get the Group B set up as directed, I will then try Canadian Tech’s directions for the new “forever UD Patch”. Thank you, as always, for your invaluable help. 🙂 🙂

KB3000850 is the so-called “Update 3”, although Update 2 was largely unnoticed and not required with KB3000850 installed.
Update 1 (Service Pack 1) was April 2014 KB2919355 and is required for about everything.
KB3000850 is like what we are likely to see starting this month.

If you got that information from WindowsUpdate.log, I agree with you. However I believe that there is something hard-coded at some level in WU which makes reference to 7.6.7600.320. If you have a later agent installed, known good ones are primarily 7.6.7601.23453 from KB3172605 and the previous one coming with the Important patch KB3138612, then 7.6.7600.320 is likely referred to as a placeholder, but in fact the good agent version is used. This is my understanding and experience at least.
7.6.7600.320 has major issues by itself and is primarily responsible for high CPU/high RAM consumption and an inefficient supersedence calculation algorithm.
What I actually said was that for those regularly updating at least with all Important patches month by month, they should not have encountered any issues. All means all (Important or Important + Recommended, so called Group B vs Group A). Selective installation does not count.

I want to clarify something here because it comes into discussion often. I have been following Woody regularly since August 2014, when we started having a lot of bad patches until the end of 2014. Some people here argue that some patches had problems at their time of release, KB3020369 is one good example, and they have not installed them based on a certain article written by Woody warning that there are ongoing issues immediately after release. We are now after 18 months and they still haven’t installed. This is not acceptable because Woody has changed regularly his recommendations every month saying install, install with reservations etc. This is what I call arbitrary selective updating. It is normal that those users experience problems blaming anyone else other than themselves, which made Microsoft take action and enforce mandatory updating, affecting everyone else now.

For those doing new builds, you are right, Microsoft does not know better because primarily of 7.6.7600.320 which was good enough for a while, but it proved inefficient when too many patches were released, while the exact timing was largely dependent on each end-user computer specification.

Hmmm, more surprises coming…
Will we end up with a Windows 10 like updating mechanism?
Office and .NET 4 patches cannot be included there because they are not part of CBS, neither silverlight, Skype, MSE, but .NET 3.5.1 and everything else can be.

The Convenience Rollup is not on Windows Update, possible because of the known bugs which you may be the first who noticed and made public. It is in this matter somehow non-typical and I would not include it in the regular patching schedule. Unless it comes on Windows Update. Microsoft Update Catalog is a specialised tool and not recommended for the wider population. But this may be the exception confirming the rule, in which case you are right to include the Convenience Update in the regular patches.

This is what was meant, maybe the wording that I used was inaccurate strictly speaking.
Pre-requisite means that you cannot install without the pre-requisite being installed first. It is not the case here, but it installs incompletely nevertheless.

Susan Bradley is a fan of installing the Convenience Update without taking in consideration the “Feature Packs”.

Are you in favour of installing the Convenience Pack if the Platform Update and all the other relevant bits are installed first? I think the Convenience Update is offered later again to complete the installation if one of the other components are installed post Convenience Update.

I am asking because I am undecided and I said elsewhere that even if I don’t recommend it, I don’t consider bad practice to install it either.

I think you are right, they were good patches when they were released. Only that we have newer patches doing the same thing and apparently better, superseding those which you mentioned. Check this one https://support.microsoft.com/en-us/kb/3138612
You will need KB3020269 for it and end up with Canadian Tech’s solution.

Further investigation of a problem during a computer club meeting showed a problem logging into a network with w redirect to its local login page. The page uses some old SSL or TLS protocol, which just got blacklisted by major browsers, including Edge and IE 11, Chrome and Firefox. (In fact, Chrome and Firefox outlawed insecure protocols long ago.)

Bottom Line — I had to go into IE, change some Internet Options, and allow some insecure protocols to connect to the public wifi network’s login page. Then I reset IE to All Defaults and High Security, and my other web surfing worked like a charm.

AT&T DNS may not have gotten the memo about banning insecure protocols. But Microsoft Sites must have had it right in line with their own MS Updates. So the Microsoft Sites were rejecting the insecure DNS messages and possibly all traffic passing through those DNS Servers.

Today things are apparently back to normal with AT&T DNS and Microsoft Sites. My third PC (the NUC) did not need any DNS gymnastics before, during or after MS Updates were applied.

But the public network login apparently hasn’t got the memo (and the updates) yet.

The fact that the June’s update rollup was replaced by July’s and May’s rollup was actually the Convenience Rollup which is only offered through the Microsoft Update Catalog explains why, despite discussion on the internet of rollups for May and June, neither have been installed or are pending on my computer.

Thanks to abbodi86, Woody, and ch100 for bringing clarity to the monthly update rollups.

Thanks. I’ll try the March Client update when I do my test install. I found for the longest time that kb3112343 & kb3135445 worked really well for a clean install in terms of cutting down scan time. But if the March one does it better then I’ll start using it instead.
“You will need KB3020269 for it”
I think you made a typo. I think you mean “KB3020369”. You had a second 2 in there instead of a 3. But I get what you mean. But anyways. Thank you for the tip.

You know ch100. The part where you talk about Microsoft’s enforced updates has made me think. Microsoft pays their developers to still patch Windows 7, and 8.1. Microsoft doesn’t want to support them anymore. They want Windows 10 and just Windows 10.

I often get asked by friends, family, and colleagues how they can stop Windows from updating. And I tell them I don’t recommend it. Since I’m that guy who everyone comes to when they need help with their tech I always tell them to install updates. But they don’t because it require them waiting 5 or so for the reboot.

It really frustrates me that people are so impatient that they can’t take 10 minutes to install updates as they come out. And it’s an easy thing to solve by starting updates before going to bed or work or whatever.

I mean Microsoft could just say they’re no longer going to be supporting 7 or 8.1 and just focus all efforts on Windows 10. And then the people who don’t want Windows 10 will say they that Microsoft should just keep supporting 7 and 8.1. And then I’ll tell them “You never installed updates anyways. What difference does it make?” and because people never installed updates now the power user and sysadmins get the short end of the stick.

I mean from a security standpoint it’s important to update Windows. It’s not as secure as OS X or Linux. So you really need all the security updates you can get. But people don’t update. I don’t know why it’s always such an excruciating thing for most. I could understand if updates are bricking computers. But it doesn’t happen most of the time with 7 or 8.1. On my machines at least. Most people are too impatient to reboot. So now the rest of the 7 and 8.1 users who do update, but want to avoid stuff like Windows 10 upgrades and telemetry have to suffer because of it.

I feel there should be a fourth group. People who get their computers. Never change any settings, and get told to reboot for updates but then never do. Non tech savvy people like your parents who don’t care about updates or anything and just want it to work. Different from Group W. Group D maybe? “D” for “Don’t know. Don’t care.” Or maybe “U” for “Uninformed.” I don’t know.

Anyways sorry for this long rant. I just had to get it out of my system. I suppose if someone has concerns over stability with patches or anything of that concern I’ll refer them to Woody’s MS-Defcon system. But for the most part when I get asked about updates, I tell them they should really update.

always impressed with your technical knowledge, so thanks for your all your help in the past. I want to revisit my hidden updates before next Tuesday, and I recall you detailed the problems with “long-term” hiding, and what to do about it.

It wasn’t just to unhide them, but also something about clearing the history cache et al.

Would really appreciate if you are able to find the link to your article. Thank you.

ps; I’m using W7SP1x64 and was in Group B but thinking of dropping out altogether along with my tin hat.

Off topic I know but dont know where to put it.
Today I have got a big green tick on my files in documents. I have renamed some and that seems to have taken it away but I have one very large file related to geneaology and I done want to lose it.
Can you tell me what this tick is and can I get rid of it. Thanking you. I am using windows 7

I may just wait for patch tuesday, it’s getting to the point where I’m loosing confidence in microsoft with the updates. I mean come on, they are clearly not in the right state of mind, to the point where us as users are going to have to start protecting our computers ourselves. I mean come on seriously, isn’t it true that a majority of computers getting hacked are a result of their owners being stupid and going on sites that are known to be riddled with malware.

As for letting things through, oh come on, in this day and age AV companies are constantly updating definitions, as well as a majority, supposedly, of users also have anti-malware and/or a firewall up at all times.

As for the whole browser thing, I get the fact IE is needed to access the internet, but seriously, is it really even needed, just look at Win10, it doesn’t even have IE, yet can access the internet just fine. Just look at Apple and Macs, they don’t even need a IE-like pseudo-browser to access the internet.

As for the Patch Tuesday thing… Gawd, is Microsoft living in a time warp or something? Are they not aware that no other os maker follows that update model anymore because… Surprise, it’s not effective, especially if a hacker creates a bug RIGHT AFTER patch tuesday… The infected computers are SOL till the next patch tuesday, whereas other os are patched quickly. I mean just look at the recent IOS 10 debacle with the bricked phones, Apple had a fix within hours… Microsoft would take a month to get the fix out due to it requiring a hotfix, then releasing the hotfix on the next patch tuesday due to it having to be tested ‘extensively’.

Really? Really? You are blaming the victims for being afraid to install the problem patches?

You might be good at technical stuff but you forgot that not all of us have either luxury of just getting the computers to repair shop if there is problem, nor having technical knowledge to fix it ourselves. Many people still use their computers for work and every days with no computer equal no productivity or at least, much reduced productivity. For some of business, it might actually makes difference between bankrupt and staying afloat. So what you are saying is unwise for us with no luxury of time or expertise to just fix it.

Besides, the issues with KB3020369 is not yet fully resolved. Last I heard from Woody was that he has not heard of any large issues now. However, he never wrote any of articles or post that said people has go ahead with that patch, and even the article about installing KB 316047 (the one with updated WU agent and Bluetooth bug) with has the patch KB 3020369 as prereq, Woody still warn the users to proceed with cautious about 3020369 as he was not sure if all of issues was fixed. So for many of people, as far as they know that patch is still bad as there is no word otherwise, nor the word that MS has fixed it.

Besides, it is MS’ fault, not the users. Many of patches had bricked the computers, or degraded the computer badly. Often there is no fix, at least for not long time. No quality test (unless you want to count us) at MS, no care and no effort. No, Microsoft does not know the best, not especially those days.

In the other words, you might be right about the technical aspects, you need to remember that not all of us are the same as you. Nor that all of the people who do not the same as you are stupid. Be charitable and aware that some people have different issues than you do and different needs as well. After all people do have different computers and some of posters here have reported that their computer can’t take various patches. Besides, usually those did not select update had reasons and researched on this (else they would have kept auto-update on). So, don’t assume.

Except for KB3020369 which is Important non-security in WU, all other updates are Optional, although KB2670838 is the main pre-requisite for IE10 and IE11.
This is another proof that some of the Optional updates if not all are actually very useful to enable full functionality in Windows.

The main problem with Optional updates as I see it is that they are sometimes unreliable immediately after they are released and need to be revised or there is further setting required. After few months though, sometimes it may take even 6 months for reaching full stability, they should all be installed.

Thank you for your “rant”. 🙂
I think the issue is compounded by Microsoft requiring too many updates and too often and in most cases they are too intrusive. This fact alone puts users like yours off from updating.
I think what they try to do with the rollups is to implement a similar updating mechanism with iOS where you have one large update, in most situations fully documented, but which you either install or not. You cannot select areas of interest in a patch from Apple.
There are other problems too. The reason that Windows is more complex is that by design it has to run on almost any hardware available, it has to run software largely out of Microsoft’s control and is more functional in this regard.
More functionality means more complexity and inherently less security.
Sometimes it makes me think that back-end computing should have never been allowed in the wild outside of universities or other interested entities like the Department of Defense who have the capabilities to do the relevant research and secure the systems at the best possible. This may be what the evolution to the Cloud is in fact, back to where IT back-end should belong and not to have every person on the planet act as a system administrator.

Woody, I read few times what you said about snooping and the fact that Group A types are more exposed to snooping than the Group B types.
I am not convinced that this accurate, because we actually identified here and on other sites that there are currently only 5 (five) patches which modify the snooping behaviour. Out of those 5 patches, only one KB2952664 and its follow-up KB3150513 are really annoying, changing previously documented behaviour.
KB2952664 and KB3150513 are not recommended even for those in Group A.
I raised recently the question of the usefulness of KB3021917 which seems to be compliant with documented behaviour, but it does not serve any useful purpose either.
Those 2 or 3 patches are not really recommended for either of the 2 major groups.
Then why would the Group A users be more exposed to telemetry without consent? Is it about future patches which could potentially do the same like those already mentioned or those retired after the free upgrade offer ended?
I still believe that antivirus product are more capable of telemetry than any patch or functionality built-in the Operating System due to their unlimited access and due to their nature, their less documented behaviour.
MSRT does daily scans starting with Windows 8 and sends information to Microsoft following each scan, unless a certain registry key is configured. The scans are triggered in Windows 8 or later by the Maintenance Scheduled Task. In Windows 7 there is only one monthly scan by default.
I don’t know what the other non-Microsoft antivirus products do out of the box, but I can only imagine.

Yes, it was typo.
Some posters who know well what they post claim that the agent contained in https://support.microsoft.com/en-us/kb/3172605 is even better than https://support.microsoft.com/en-us/kb/3138612 which is possible, quite probable.
The reason I tend to bring the March agent more often in discussion is that I perceive it as more stable and it is pushed as Important, while the other one which is a rollup, not only an agent is pushed as Optional at the moment.

I don’t know if any other windows 8.1 users had this happen. but I only had two updates show up KB 3172729 (security) and KB 3177723 (non-security). Are these the beginning of the rollup patches that Microsoft is moving us to?

Thank you Old Dog. I am impressed with how popular this thread has been due to Woody’s talent in finding the right subjects for each of his blog posts. 🙂
The master article is this one https://support.microsoft.com/en-au/kb/971058
This is complicated and overkill so I will tell you exactly what you have to do.
1. Log in as Administrator – the user named Administrator, not other user.
2. Open Services console and stop: Windows Update, BITS and Windows Modules Installer (known also as TrustedInstaller)
3. Delete C:WindowsSoftwareDistribution folder
4.Reboot your computer.

Please be aware that by deleting the SoftwareDistribution folder you will lose the update history, but all installed updates are in Programs and Features under Installed Updates.
All current hidden updates are restored, while those who are obsolete because of Microsoft expiring them in time, are no longer causing issues as the cached database is clean and created as new.

I would suggest you giving a try to Group A, but this depends on your level of comfort in relation to Windows Update. Woody traditionally leans towards Group B in his recommendations because among other things they are addressed to a huge number of diverse users, but as he said recently, there is a lot of value to be gained by being in Group A.
Both Groups of users should be OK.
The main differences are that in Group B you get only Security Updates plus the minimal set of reliability updates, while in Group A you get all the features enhancements as few as they may be in the future for Windows 7. In Group A you would be able to use Windows 7 to its full potential.

Well the way I see it. By using their OS and installing updates you are giving consent. People got to remember. It’s not their software. It’s Microsoft’s. Just saying.

As for people who think Windows 10 is “spying” on them. I don’t feel they have a right to complain because it’s in the EULA they didn’t read. Said right there in the fine print. They will collect and preserve data. If they didn’t state it and collected data then yes it would be a different story. But they are up front with it. And every Windows 10 user gives Microsoft consent to do it when they click “I agree.”

I don’t like it either, but that’s the way it is. If they don’t agree to it then they shouldn’t be using Windows 10. But then they also shouldn’t be using things like Facebook, Google, smartphones, computers, or the internet in general. Your ISP can see what you’re doimg. But that’s just my two cents

I said it how Microsoft classifies the updates, it was not my classification.
Anyway I did further testing and found that indeed the agent contained in KB3172605 is superior and I will stop recommending KB3138612 from now on. 🙂

Okay. I just wanted to check, how IMPORTANT are getting all these updates in is. As in if the computer is only used for class work and gaming with an AV running full power with constant av definition updates, and a firewall, how much of a risk is the person running if they don’t update windows at all?

If you must know, the only reason I’m asking that is because of M$’s track record, last thing I need to happen, is to put in a rollup patch and boom, computer won’t even work due to a flawed patch in the rollup, considering the computer I am typing this on is my only one, and used for day to day stuff like classwork and gaming (which I have Authenticators for, which said authenticators are not on the computer, and even then, to even remove the authenticators require not only a pass, but e-mail confirmations) As well as e-mail notification in case of a hack on a program, like the yahoo password slip up for example.

It is like people complaining about the Lightning socket replacing the analog audio socket in iPhone7, while they actually own a different model and nobody forces anyone to buy the new one. If it is a bad decision taken by those responsible in the company, then the market forces will sort it out.
With Microsoft things are slightly different due to their perceived monopoly-like position in the market. However, what is happening now is exactly due to Microsoft losing their monopoly-like position in favour of the other major players and trying to restore the balance in their favour. Unfortunately for Microsoft, Windows 8/10 design achieves exactly the opposite, even for long term supporters.

@Woody: In Re: KB3172605. I am seeing information that this update is okay, however I also note that it is one of the updates referenced as a “manual update” by Canadian Tech to get the “forever “Magic Patch”. I already have the other one (KB3020369).

I am assuming that it is best to follow the explicit directions provided by Canadian Tech to get the “Forever Magic Patch”.

Please clarify this point for me? It appears that a “manual install” should be utilized, and not just updating from the “UD list”.

I sincerely appreciate your guidance with following Canadian Tech’s directions, about KB3172605. Thank you very much for your help.

I haven’t seen anything recently about KB3175024, which had EMI problems. It is the only security update remaining to be installed, and I’m wondering if it’s “safe”. It’s a whopping 20.6 MB, at Revision 4, and last reviewed on 9-29-16. Because of its size it could contain many changes??

I hope to begin setting up for the Group B tomorrow, so am anxious to get the security updates installed.

Thank you CH100 for both the link (yes – it is a complex article) and your concise explanation.

I first met MS in early DOS days, then entered into a life long association with Windows. In my youth, we were taught principles not just handed solutions. Calculators were unknown – slide rules only.

As such, I have always researched updates prior to installation. Early KB articles were usually informative. MS Security Bulletins and MS Catalogue also helped. I did occasionally refuse the odd update, but refusal mostly meant waiting awhile before finally installing if proven to be reliable. This included optional updates. So you could say that I WAS group A type – perhaps a founding member.

At this point, I should mention that starting with Win 85, I purchased a new PC with each major OS introduction. Like most I found XP very good (at the time). Unlike most, I enjoyed Vista. The change to Win 7 was easy.

Canadian Tech is right when he says that 2014 marked a change in updates. I would go further and say that even in late 2013, I was seeing a difference in the type of data released by MS – I would suggest MORE articles, MORE cross-referencing but LESS true information to enable informed decision making. However, after so many years with MS, I TRUSTED them to continue as before and put the lack of true information I was seeing as a reflection of the increasing complexity MS were trying to manage with so many different Operating Systems (and versions) still in use.

So what went wrong ?

MS abused my trust. They say the unspoken word is not a lie, and so the KB articles contained a lot of words, but stopped saying anything. I found myself spending hours googling for information but coming up with nothing.

I muddled on with installing updates, trusting MS, until end 2014 when I decided that I wanted a life outside Windows Update and so I amended my settings to “Check, but let me choose” and only installed Security Updates in arrears – 2 months minimum.

I should mention that I do not use Office (MS Works is simpler, runs on Win 7 and receives no support from MS). I use Avast antivirus and MBAM. CEIP is turned off along with a few unwanted others. I DO use Internet Explorer.

This would make me group B.

So where am I now ?

Have revisited all non-security updates released from January 1st 2015 – installed a few, notably 3020369 service stack, 3138612 WUA, 3182203 Time Zone.

I have taken a different approach to most. No clean install, just a thorough review of what I have already installed, plus reading and reacting to the countless informed discussions on the web – especially those here hosted by Woody. So thank you to all contributors over the years – particularly CH100, Abbodi 86 and, of course, Woody.

Win10 1511 here. Installed KB 3185614, to bring it up to build 10586.589 and all is running well.

The only quirk I observed after the update was that TiWorker.exe (Windows Module Installer Worker) a process that is related to Windows Update Service, ran at a high CPU level with heavy C: drive access for about an hour. Mostly on C:WindowsSysWOW64 and C:WindowsWinSxS

I let it finish and all is quiet now. Rebooted once after it completed and it did not run again. I guess it’s just a one time thing, but may take a while longer if you are running older, slower hardware.

Note: This is in reply to a comment of yours that appears “above”. I am replying to this alternate comment because the comment I want to reply to does not have a reply button (it had already reached the last “reply” level that is allowed by this blog template/host).

My comment:

You wrote, “There should be no system without KB3172605 installed unless those not having it decided to stop updating completely.”

[Note: It’s hard to keep track of the numerous comments here, and particularly this week I have not seen all of the contributions to Woody’s site, and information moves on quickly…
but given what I do know from a couple of weeks ago, I am wondering the following — ]

Why do you make that statement as a blanket recommendation for everyone, when:

1. That patch does not show up as important and/or checked (at least in my Windows Update).

2. There is a set of computers that cannot install that patch because it screws up their Intel Bluetooth, for which there has been no remedy yet provided by either Intel or the computer manufacturers of the affected products.
(This includes my computer – it screwed up my computer last month and I had to uninstall that patch after only a day.
According to what I saw on my manufacturer’s site, it might be that my computer will not get a fix because it’s 3 years old.
Therefore, I may never be able to install that patch, and thus this might be one reason why I could not be in the “compliant” Group A from now on, even if I wanted to.)

3. One may not need 3172605 to speed up the Windows Update check for the September patches – Dalai’s solution to speed up the September patches, used on its own without simultaneously installing 3172605, worked great for speeding up the Windows Update check for the September patches for my computer and another computer that I do the maintenance for. Also, after the September patches were done, the Windows Update check still runs quickly on those 2 computers that I manage.

Woody
One of my Windows 7 PCs will not download seven (4 failed and 4 won’t [try again]) of Sept security updates and the software malicious removal tool. I know people have mentioned a way to do this manually from a MS website but googling I can’t find anything that applies to Win 7 non-IT managers.

Well the catalog doesn’t seem to work for me. I thought the download would be exe. files but apparently not. I’m getting the interminable searching for updates on this computer when I try to open it. I give up. Screw this updating process security or not.

I used to recommend KB3138612 as the best Windows Update agent, which is also designed as Important, which means mandatory for Microsoft (and in my view).
While this agent is good enough for most situations, I encountered other situations and @PKCano mentioned it as well few times, when KB3138612 and all Dalai patches may not work to speed-up the scans. There are not many of those instances, but they can be reproduced and have been reproduced as I said by other users.
In those situations where KB3138612 and all Dalai patches did not speed-up the scans, KB3172605 provided a good solution. In fact I suggest installing Dalai patches plus the so-called Canadian Tech’s solution which involves installing KB3172605.

For those users experiencing specific issues like the Intel Bluetooth problem, KB3172605 seems to break their systems. In such a case, the offending patch should certainly be avoided if it breaks required functionality.

There is no urgency in installing this patch for those users not experiencing any slow scanning issues, but it is still a good thing to keep it in mind as a useful trick.

To summarise, it is clear that there are situations when KB3172605 is either not required as a matter of urgency or not recommended at all.
My advice was generic for most users and in line with the general advice here provided by Woody when someone experiences slow scanning.

You should install all Important updates, security and non-security.
I noticed that you have already installed the really useful ones, the stack update, the March 2016 WUA and it is good practice to install all the time zone rollups, although some may not find an immediate advantage.
KB3172605 does not replace KB3138612, but both coexist side-by-side as the latest one is not only an agent, it has other components included. If you are not affected by the Intel Bluetooth bug, then go ahead and install KB3172605.

It is all good, but it may be too high-tech for a lot of the readers here. 😀
Your approach does provide an answer for those concerned about the Intel Bluetooth bug.
Let’s keep it at the level which is supported by Microsoft using the tools commonly available.

Installed KB3172605 this evening and the sky isn’t falling, so I’m hoping that all will be well come Tuesday and that I won’t have to wait the almost 30 hours I had to wait last month for one of the checks for updates I did to finish. I’ll definitely report back on it.

I think that they will name the future rollups as Security on purpose, just because a lot of people have traditionally been looking for the Security word in the title of each update, missing other important updates in the process.

Based on Woody’s Defcon 3 message, yesterday I successfully installed the following on my Win 7 SP1. Now it takes a bit longer to open programs like CCleaner, FamilyTreeMaker, OpenOffice and others. Plus my Epson Scan program shows me a different UI screen. So weird. Other than that, I don’t see any problems; but I do wonder why I see these changes. Any ideas? Thanks so much Woody for your work and everyone for your comments on this and other MS issues!

Oh well, I wonder how it will go when I finally manage to power on again the pc.

The 6th I had 5 security patches waiting to be applied upon hitting shutdown, then my videocard decided to die on me (even if I suspect it got corrupted by a mix of silverlight and a 3d game, erm).

I’m not going to manage to get a “new” card until the 17th

If someone wonders why taking so many days, this otherwise very nice xeon workstation refuses to pass the bios splashscreen unless having a card it likes.
And I’ve no clue what more modern card would work ( this is a different topic entirely, but if someone is skilled in these weirnesses, I would like to brainstorm a bit )

KB2952664 is one of the patches that paved the way for upgrading to Windows 10. The update for the MSE program itself (not the definition update, mind) removed the ability to right-click on an item and scan it individually that way.

I installed KB3182203 on 8th October.
The previous DST patch KB3177723 installed 23rd August remains on my system even after running disk cleanup for supercedence. These are the only 2 DST/Timezone patches on my system.

abbodi is correct.
KB3177723 is superseded by KB3182203.
The supersedence is documented in the Catalog and it comes up in a graphical form in WSUS, the small-medium size enterprise update tool.
I wouldn’t worry much and follow what abbodi said.
If you want to do further testing, uninstall KB3177723 from Windows, do whatever restart is required and scan for new updates. If you decide to do this, let us know if KB3177723 comes back as required, as you might discover a bug in how Microsoft implemented supersedence for this patch, although this would not mean much.

Thanks, Squall. Perhaps MSE was ‘relearning’ which caused the slight delay in opening programs, as things are opening as usual now. I never used the right-click scan individual item function, so that’s not a problem for me.

Currently in group W with WU set to Never ….
thus with no hidden or recommended updates. Prior to switching to Never, had 5 September Security Patches not installed (3185319, 3175024,3177186, 3184122 and 954430 from way back which re-appeared last month) plus around 30 non-security patches after following your advice ref deleting my SoftwareDistributionFolder (your instructions worked perfectly – thank you again).

Then deleted KB3177723 – rebooted, although not prompted to do so (no screens showing wait while configuring etc). Everything went ok, KB3177723 no longer installed. The only DST/Timezone update installed is KB3182203.

Checked for updates without changing the Never setting and got just 1 important security update – KB3175443 – which is the cumulative IE update from August. I always wait 2 months before installing IE updates.

It begs the question why September KB3185319 was not shown but September KB3175443 was.

KB3185319 is still detailed in MS Catalogue, but have not tried to download it. Perhaps MS have already incorporated it in the October Cumulative Security Update due today.

Find it curious that when i did enable WU today just to check things out around 5:30ST it ran for a couple of minutes and told me my PCWin 7 was up to date.
No updates available.Was expecting to see a roll-up or something.
Checked installed updates and they didn’t sneak anything in the back door.
Checked GWX Control panel and everything looks clean.
Microsoft taking a consumer hint after all these years? Doubtful, but seems strange there were no updates at all.
The shifty, dirty, money grubbing ***** have to be up to something.

Not seeing any Win7 updates – I’m not showing any of the expected security+non-security roll-up (“Security Monthly Quality Roll-up”)and a .NET roll-up (“Security and Quality Roll-up”).
Already had (CEIP) at ‘NO’ and didn’t see any of the (3) patches that “ch100” mentioned in ‘Installed updates. Re-scanned for updates and still received everything is patched.

@rc primak
“I should not have posted that this might be a bad patch on Micorsoft’s part (although that remians a possibility.)”

Yes, you should have, and I thank you! I encountered the same problem. I had no idea what was causing my sign-in pages to be blank. I thought it was a problem at the website, and couldn’t find any info on the web. If I hadn’t seen your post I don’t know If I’d ever have been able to fix it. So here’s my non-techie take on the problem.

The problem was caused by one of these September MS Office 2010 Security Updates (the only September updates I had installed), apparently interacting with U-verse:
KB2553432
KB3115467
KB3118309
KB3118313
KB3118316

After a messy attempt to uninstall the updates, my Outlook/Hotmail sign-in page was back, but I couldn’t post replies on AskWoody.

Today I finally followed a suggestion in my U-verse installation guide, and it fixed the AskWoody posting problem:
Open IE Tools (or Control Panel) Internet Options. On the Connections tab, click on LAN settings, uncheck any checked boxes, and click OK. Only the first box, “Automatically detect settings” was checked, and I unchecked it. Problem solved.

I don’t understand anything about DNS or protocols. I suppose making the LAN change may have been all that was necessary. But the problem started with the installation of one of those Office updates.

So I’ve reinstalled MS Office 2010 and turned off Microsoft Updates. I rarely download Office documents, and I’d rather trust Comodo Firewall blocking and Avast and Malwarebytes scans for protection than trust MS to not to mess up my computer again!

I just installed the following updates:
KB3175024;KB3177186;KB3184122;KB3185911; KB3172605 — All the updates installed successfully. When I checked my WU history, KB3175024 does not show up. It’s also no longer offered in my Windows Updates. What would cause this? Incidentally, Installing update KB3184143 remove GWX)does not remove the following registry entry: ComputerHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionGWX
I, initially, recovered from an OS backup from March 2015. I made sure not to install any known GWX-related updates. Yet, the aforementioned registry key is still listed.

Woody wrote, “You can move from Group B to Group A, but as far as I can tell there’s no way to move from Group A to Group B without completely re-installing Win7 or 8.1.”

Based on my tests with Windows 7 x64 in a virtual machine with the October rollup, the November rollup, the October security-only update, and the November security-only update, you can move from Group A to Group B, or Group B to Group A, without operating system reinstallation. You can also revert to the next-to-last installed rollup by uninstalling the most recent rollup, provided that you did not recently use Disk Cleanup to remove outdated Windows updates. The scope of my tests was only that the given updates installed or uninstalled successfully, and the virtual machine exhibited no obvious malfunction in the short time period in which I did these tests.

So you’re talking about using uninstall to remove the latest Monthly rollup patch?

Yep, I think that would work. If you’ve been installing the Security-only patches, then install a Monthly rollup (thus changing from Group B to Group A), you could uninstall that latest patch and instead install the Security-only patch.

I’m not absolutely sure that uninstalling a Monthly rollup will uninstall all of the patches that were installed in that rollup. I could foresee a situation where that might be impossible.

I actually tried quite a number of combinations of installation/uninstallation of the two rollups (via Windows Update) interspersed with installation/uninstallation of the two security-only updates. Everything seemed to work fine, including going from Group A to Group B. To reiterate though, these were only very short-term tests using Windows 7 x64, and did not reflect long-term usage.

It’s early days for this new updating system, but when the ‘cumulative’ part of the rollup/Group A pathway gets going in the spring and actually includes/applies all historical updates that were ever available for the specific computer, I wonder if leaving Group A would be so easy.

Your point about being ‘rescued’ from Group A only if you haven’t used Disk Cleanup in a while to delete old patches
is why I have never used Disk Cleanup to delete my old patches, because I value hanging onto a copy of them in case I ever need them in the future. (That was recommended by HowToGeek some years ago and his advice made sense to me!)

I didn’t mean to imply that a user can leave Group A only by first uninstalling the rollups. Based on my limited-scope tests, you don’t need to uninstall the rollups first if you want to move from Group A to Group B, although it may be wise to do so. You can, for example, install the October rollup and then install the November security-only update; a big caveat: this is a configuration that Microsoft probably hasn’t tested.

Can the installation of the security-only update and cumulative updates be staggered? For example, we install the security-only update in Month A, the security-only update in Month B, then apply the cumulative for Month A. Would that revert the security patches installed in Month B?

Thanks.

[Answer from] Nathan Mercer
September 14, 2016 at 5:01 pm

Yes, this will work fine. ‘Component based servicing’ is smart enough to only apply newer binaries when you install an update. So when you install the monthly rollup for month A it will detect that you have some newer binaries from month B and will not overwrite them.”

You can uninstall all patches except for the Servicing Stack updates and one of the USB patches.
I did this few times and you can actually get to the situation where except for those few patches mentioned above, you have only the base install of Windows 7 and SP1, if SP1 was part of the original installation.
I had only few issues with pre-SP1 .NET Framework patches uninstall, but even that situation is resolved by stopping 2 specific services before uninstalling.
If there are leftovers, they can be removed by using DISM, however that procedure would be required when the Windows Update mechanism is faulty in some way, including having hidden patches.
The Component Based Servicing stack is very well designed, unfortunately it was neglected for Windows 7/2008 R2 in the recent years and now Microsoft is trying to catch up and fix the outstanding issues.

A few months ago you said that there are cases in which manually installing a standalone Windows update file results in a set of files which were not meant to work together, and that this does not happen when letting Windows Update install the same update. Is that a fair summary of what you said? Do you know of any web references on this? Do you remember a particular update that has this issue?

@MrBrian I think I understand what you were trying to say.
In fact I might have said that installing updates at random by user-defined criteria is not the best practice as it may end up in what Microsoft calls now “fragmentation” of the Windows components, due to inter-relations between various updates.
This is not the same thing with installing a specific update. Manually installing that update is not different than installing it from Windows Update. The difference may be in size (express vs full install), but the end result should be the same.

“Note: The regular end-users should never use Microsoft Catalog or other direct Microsoft download sites for updates, unless fixing something that otherwise cannot be fixed – patches refusing to install otherwise.

The practice of installing manually is very likely to break interdependencies because some updates come with further hidden updates and this has been happening forever, regardless of the big thing coming October 2016. Just look at the (in)famous patch KB2992611 re-release and there are many more examples.”

I thought I would interject here, because it occurs to me that you may still not be clear about Woody’s point of view on the topic of the question you asked above.

As far as it seems to me, that prior quote from Woody summarized Woody’s opinion about patching by regular end-users *prior to November 2016*.

Prior to November 2016, Windows Update was mainly showing people everything that was applicable to their computer,
and Windows Update would have been more reliable and more thorough than the average non-techie would have been at picking out patches from the Update Catalog to apply to his/her computer.

In terms of installing manually now — now that the new post-September updating system is in place — Woody is cautiously recommending manually installing from the Update Catalog, only for those people who want to be in Group B, and only if they follow his given steps exactly.

Note that those steps do still include relying on Windows Update to get .Net and Office patches, instead of trying to get those patches from the Update Catalog.

When following Woody’s Group B steps to the letter, he does not think that “the practice of installing manually is very likely to break interdependencies”.
If taking the Group B path does end up doing something serious like that, Woody will tell people to stop following his Group B steps. But he has seen no indication that this has happened.

And what Group B people are getting from the Update Catalog is not a confusing bunch of 10 or 12 individual updates that they have to juggle around and make sure they get the right ones exactly, but instead it is one easily-found, easily-discerned, ready-made collection of updates that Microsoft has already bundled together in the Security-Only Update for that particular month.

The only reason Woody is even telling Group B people to get the Security-Only Update each month from the Update Catalog is that it is not available from Windows Update. If it were available in Windows Update, he would tell normal non-techie people to get it only from Windows Update.

As CH100 wrote, “Manually installing [a specific] update [from the Update Catalog] is not different than installing [the very same update] from Windows Update,” and Woody would likely agree with that.

Therefore, I do not see any disagreement in the positions that were expressed by CH100 and Woody, just above.

What I meant by being “rescued” from Group A is undoing all the Group A Rollups that the person has installed.

I was defining “leaving Group A” as getting rid of all the telemetry and other non-security stuff from the Group A Rollups which the person has since decided that she/he doesn’t want on the computer.

In my post, I was talking about making sure not to delete one’s copies of old historical patches (from the pre-November 2016, old-fashioned Windows updating system) that have been kept by one’s Disk Cleanup,
in case one starts down the Group A Rollup path and then changes her/his mind and wants to lose all traces of Group A, to revert back to the way the computer was at the end of September 2016, prior to the new updating system.

I was not saying that you cannot be in Group A for a while and download some monthly Group A Rollups, and then after a few months of that, you decide that you will change pathways and move over to Group B, and therefore will download monthly Group B Updates instead — of course you can do that. That is more of a hybrid choice, not really purely one group or the other. Being with Group A for just a few months will install telemetry that will stick with you forever, unless you uninstall those Group A Rollup(s).

Most of us who are going into Group A now are going to want to stay in it long-term, and most of us who are going into Group B now are going to want to have nothing on their computers from Group A, and if they accidentally or deliberately install a Rollup from Group A, but determine that they wish to remain in Group B after all, they will uninstall that Group A Rollup, not let it stay on the computer.

This is Woody’s blog and I am advising anyone who reads this blog to primarily follow Woody’s instructions.
Everything else posted here should be considered just an opinion and all posters other than Woody are equal from this point of view.

@poohsticks: Even if you have used Disk Cleanup to remove old Windows updates, you can still uninstall all of the monthly rollups. Let’s use the analogy of a ladder on a ground, with the ground = no monthly rollups installed, each step up = installation of a more recent monthly rollup, and uninstalling the current monthly rollup = going down the ladder. With this analogy, using Disk Cleanup to remove old Windows updates is like removing all steps below the step you are on; you can still go back to the ground, but not to the intermediate steps.

@Woody: To clarify, do you agree or disagree with ch100’s view on this issue?:
‘As CH100 wrote, “Manually installing [a specific] update [from the Update Catalog] is not different than installing [the very same update] from Windows Update,” and Woody would likely agree with that.’

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.